Corporate Compliance



The word compliance can be defined as the act of adhering to or conforming with a law, rule, demand, or request. In a business environment, conforming to the laws, regulations, rules and policies is the part of business operations often referred to as "corporate compliance." Corporate compliance involves keeping a watchful eye on an ever-changing legal and regulatory climate, and making the changes necessary for the business to continue operating in good standing within its industry, community, and customer base. In a broader sense, corporate compliance extends beyond mere legal and regulatory conformity into the realm of promoting organizational ethics and corporate integrity.

The roots of corporate compliance efforts are found in the government contracting scandals of the 1980s. During those years, the Department of Defense received extraordinary charges for commonplace equipment. Investigations led to criminal convictions and monetary settlements for a number of companies providing equipment and supplies under contract to the U.S. government. In response to these events, defense industry companies wishing to contract with the government were required to develop corporate compliance programs to prevent such abuses in the future. Shortly thereafter, the U.S. Sentencing Commission established Organizational Sentencing Guidelines that offered more lenient fines and penalties for corporate violators that created voluntary programs to prevent and remedy violations of law and regulation.

Leniency under the Sentencing Guidelines is calculated. Upon a finding of guilt, the court considers the company's compliance efforts. This is done through the use of a culpability scoring formula set forth in the Sentencing Guidelines and applied to corporate conduct. Documented evidence of compliance efforts such as monitoring, auditing, corrective actions, and system modifications or redesign to prevent future problem behavior reduces the culpability score or degree of "guiltiness." Fines and penalties are then assessed based upon this score.

Beyond the Sentencing Guidelines, indirect incentives exist for businesses to create compliance programs. A company's intolerance for wrongdoing, evidenced by corporate action taken consistent with its corporate compliance effort, can speak volumes to federal prosecutors conducting an investigation of alleged wrongdoing. Where prosecutors determine that a company has high standards of conduct demanding employee compliance with law and regulation, it may be inferred there was minimal or no criminal intent by the organization to commit a wrongful act. The absence or reduction of evidence of intent then translates into a lesser charge or citation, particularly in a case where intent is a critical element of the crime or offense. Corresponding to the reduced charge, the fines and level of penalty are less than would be associated if a more serious (in degree) offense were claimed.

Compliance programs may also impact civil enforcement fines or penalties. If a company is found liable for wrongdoing (rather than guilty as in a criminal action), the existence of a compliance program may reduce the risk of a full-scale government investigation of the company. Short of a civil trial seeking monetary recovery, the existence of an effective compliance program often prompts government agency auditors to find that human error, rather than conscious misconduct, led to a failure to comply with a set of rules. In these instances, leniency can be granted in the form of more favorable repayment terms and interest rates, and reduced civil fines and penalties.

A well-developed, established compliance program also helps a company avoid the imposition of probation or a corporate integrity agreement (CIA). The CIA is a mandated type of compliance program where timeframes for achieving targeted performance are aggressively short. Components of a CIA include staff education on general and specific compliance issues, establishing specific policy and procedures to minimize recurrence of the misconduct, auditing, and monitoring activities. Quite often these mandatory compliance programs call for the use of outside consultants to support business operations and/or provide objective documentation of progress toward fulfillment of the terms set forth in the agreement. CIA implementation is often expensive. Aggressive deadlines for achieving compliance milestones, multiple compliance targets, complexity of compliance issues, and the use of government-approved outside agencies are factors influencing cost.

Healthcare Compliance

With the decade of the 1990s came a warning from the Office of the Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS). The healthcare industry was not immune from prosecution and liability for fraudulent and abusive practices. OIG audits demonstrated that as much as 10 percent of U.S. government-funded healthcare expenditures were related to care that was not billed correctly, was not medically necessary, or was never delivered to the patient. There were additional concerns about the adequacy of care being delivered in the United States and concern about the reporting of health organization costs. Fraud and abuse are the terms often used in reference to these types of practices.

HHS and the OIG projected savings to be billions of dollars per year if concerted efforts were made to minimize such practices. Several initiatives were considered. One was a curative approach, whereby fraudulent or abusive practices would be investigated and prosecuted. Another was enlisting the voluntary aid of the healthcare industry to implement prevention programs. Given the magnitude of the problem, and the high cost of investigating and prosecuting fraud, the OIG determined that a cost-effective solution to minimize fraud and abuse was to emphasize prevention over law enforcement investigation and prosecution. With this thought, HHS and the OIG embraced the defense industry's compliance concept along with the Sentencing Guidelines and established the first government healthcare compliance guidance in 1997.

The initial guidance was written for laboratories. OIG compliance guidance is available for other care delivery settings such as hospitals, long-term care, home healthcare, hospice, physician offices, and support services such as medical coding and billing companies. On April 23, 2003, the OIG issued compliance program guidance for pharmaceutical manufacturers.

Early Healthcare Compliance Efforts

Initial OIG-written commentary for healthcare compliance programs focused on internal controls. Healthcare organizations were encouraged, for example, to develop protocols for insurance claim processing and billing, to properly use codes (e.g., diagnosis related group assignments for inpatient hospital service classification and payment), and to ensure patient freedom of choice. Hospital contracts with physicians that encouraged over-utilization of services prohibited by anti-kickback law were also high on the regulatory list of concerns. Yet other compliance efforts focused on provider or entity compliance with governmental and private insurer documentation guidelines, medical need for service, timely refunding of overpayments for services (e.g., refunding credit balances), and document retention and destruction policy.

By 2003, it was not unusual to find defined compliance departments within healthcare organizations. The actual name of the department may vary from simply the "corporate compliance department" to the "business practices office." In some organizations, corporate compliance, internal audit, and corporate ethics are combined or maintain close working relations. Independence of review and periodic reporting to senior company officials are two key aspects of any compliance function. Some compliance offices also have advisory committees to assist in various compliance endeavors. At least one organization is known to have a combined compliance and corporate ethics advisory committee. Consistent with the OIG guidance, compliance officers are instrumental in developing or assisting to develop comprehensive policy on OIG target areas, staff training, monitoring, and auditing.

Effective Healthcare Compliance Programs

Little has been published as to what constitutes an "effective" healthcare compliance program. The OIG initiative broadly encourages healthcare providers and entities to conduct business in a manner that conforms to federal and state law and regulations. Similarly, regulatory agency expectations of compliance initiatives vary with the size and complexity of the entity and monies available to fund compliance efforts. For example, a small family practice physician operating an office in a rural location is not expected to have the same size, scope, and sophistication in terms of a compliance program as a healthcare organization with 1,000 or more beds spread over multiple care delivery sites in a highly populated urban setting. Recent enforcement activities, however, demonstrate that staff compliance education and an entity's ongoing commitment to "following the rules" are key components to proving effectiveness, regardless of the entity's size and complexity. Ineffective programs may not provide the same leniency and opportunities as have been discussed above.

Development of an effective program includes ongoing review and revision of the program based on the emphasis found in the annual OIG work plan. A review of current and prior work plans reveals a continuing focus on payment, billing, and claims processing issues. The OIG also releases a number of publications and opinions throughout the year that advise healthcare providers and entities such as hospitals, home health agencies, extended care facilities, etc., on prevention, detection, and resolution methods for suspect practices. Other OIG publications and opinions clarify subject areas to better enable compliant conduct by health organizations.

Consistent with the expansion of regulatory agency focus, areas of compliance concern have expanded to include issues such as quality of care, maintaining patient privacy, eliminating healthcare errors, maintaining occupational safety, enhancing staff understanding of clinical and business ethics, and eliminating or minimizing conflicts of interest. Specialty areas of the law that were topics for compliance discussion in the early twenty-first century encompass employment law, environmental law, tax law, and intellectual property law. This broadened scope has prompted many organizations to revise and reprioritize compliance programs to incorporate standards of behavior that address organization expectations on existing as well as new focal areas.

Essential Elements of a Healthcare Compliance Program

Common elements of any healthcare compliance program incorporate the following:

  1. designation of a high-level entity officer to lead the compliance program;
  2. documented standards of behavior that are described in more detail in the entity's policies and procedures;
  3. compliance training for staff with regular updates to maintain awareness;
  4. establishment and maintenance of a readily available anonymous communication process for receiving complaints and concerns (i.e. telephone hotline, suggestion boxes);
  5. procedures for protecting healthcare whistleblowers;
  6. maintenance of a system for responding to complaints in a timely manner;
  7. documented disciplinary action procedures for violations of law, regulation, or compliance policies of the entity;
  8. planned auditing and monitoring activities to reveal areas where compliance issues exist, and to monitor corrective actions for effectiveness;
  9. defined investigation processes;
  10. a procedure for initiating the entity's process improvement procedure to correct system process problems;
  11. a process to address employment decisions for persons who are temporarily or permanently barred from participating in the care of patients who are beneficiaries of a federally-funded healthcare program.

Operating a Healthcare Compliance Program

Using OIG guidance materials, the compliance officer and compliance committee members develop and direct activities based on governmental and organizational identified areas of concern. The compliance officer should have direct access to both the chief executive officer and the governing board of the organization whenever necessary to ensure timely communication of pertinent issues.

It is important for the organization leadership to grant oversight authority to the compliance officer and committee members for monitoring, auditing, and corrective action activities of the corporate compliance program. Additionally, leadership should support the compliance officer's establishment of alternate methods of communicating with employees to encourage anonymous reporting of compliance issues. It is essential for employees to view the compliance officer as a non-threatening source of education and empowerment, a person they may seek out to resolve concerns without fear of discipline, retaliation, or retribution for reporting a concern.

Establishing a Corporate Culture of Compliance

An organization must be committed to compliance efforts in order for the program to be effective. Establishing written standards, policies, and procedures demonstrates acceptance by senior leadership and delineates behavioral expectations for all employees, governing body members, officers, management, physicians, contractors, and business associates of the organization. Beginning with a statement describing the organization's mission and vision (goals for the future), the organization guides conduct by defining a potential compliance issue along with the conduct standard and examples of appropriate behavior. An illustration of this concept:

  • Mission statement: To provide excellent healthcare for our patients and the communities we serve.
  • Vision statement: We are committed to the highest level of organizational and professional excellence and will serve others with respect for individual dignity.
  • Performance Standards: Greet everyone with direct eye contact and a smile; At the end of an interaction, ask "Is there anything else I can do for you?"; Provide information and give updates at specific intervals as promised.

It is important to write components of a compliance program at a reading level that the majority of staff can understand. It is also important to make the conduct requirements accessible to employees so they can be easily referenced. Since laws and regulations change and the OIG, HHS, professional review agencies, fiscal intermediaries, and carriers identify different areas of concern over time, compliance requirements must be updated to reflect behaviors required for the organization to remain in compliance.

A significant portion of the compliance officer and committee members' roles involve establishing and maintaining positive relationships with others in the organization. In maintaining a level of visibility and collegiality, the compliance officer is more likely to be in a position where opportunities for improvement can be identified and ethical behaviors can be positively reinforced. Likewise, visible, approachable committee members are likely to find less resistance to monitoring and auditing activities. Without these positive relationships, compliance activities may be impeded by efforts to thwart data access and collection for fear of poor audit results and the demand for time-consuming responsive action plans by management. While the compliance officer and committee members are often the most visible leaders of corporate compliance efforts, it remains important for organization leadership and management to mentor employees, encouraging responsible and ethical behavior in the workplace.

Strategies for Maintaining a Compliance Program with Limited Resources

The number of personnel assigned to the compliance department or to assist with compliance functions varies from organization to organization. The size of the compliance department and level of sophistication of the compliance program is not directly proportionate to organizational size and complexity. Given the limited size of many departments, a compliance officer must often utilize a variety of strategies to maintain the continuity of compliance program activities.

One strategy involves enlisting managers and supervisors of other departments to join in conducting and evaluating daily monitoring activities, and participate in development and implementation of solutions to issues raised. Compliance department staff or internal audit personnel may check on these efforts through quarterly or annual audits. If needed, in-depth analysis may be conducted by outside consultants.

Another strategy involves using work groups or task forces to assist with monitoring and auditing functions. The groups are formed from members of departments with specific but related functions (i.e. patient registration, patient accounts, collections, and coding). By doing this, members are exposed to the compliance program in action. Work group members engaged in program activities often become ambassadors and assist in enhancing the compliance culture within the organization.

Improved organizational performance can be a practical result from compliance work group efforts. Compliance initiatives may reduce payment collection times and rejection rates. Compliance initiatives may also resolve long-festering issues that impede work completion and flow. With the compliance officer acting as a mentor, information resource, and support person, multiple work groups may simultaneously be engaged in compliance activities, thus improving organizational compliance effectiveness in an efficient, thoughtful manner.

Providers Excluded from Federal Health Programs

Compliance initiatives must also implement steps to ensure practitioners and entities excluded from federal health program participation are not employed or used by the company. By partnering with numerous departments in an organization, a small compliance program can coordinate the monitoring of governmental databases to ensure excluded persons or entities rules are followed. If a monitoring process is ineffective, the organization is likely to realize a significant financial impact because federal programs such as Medicare, Medicaid, or Tri-Care will not reimburse services ordered or performed by these excluded providers.

The monitoring requires that the compliance officer or designee review the Health and Human Services Office of the OIG Excluded Provider database and the General Services Administration database at periodic intervals. The review process and subsequent response activities incorporate human resource, medical staff credentialing, materials management vendor selection, and contractor selection functions within the organization. Legal counsel must be included in these compliance activities to ensure that organization contracts incorporate provisions that impose an affirmative duty on contracting parties to communicate anticipated or actual government action that may result in the party becoming an excluded provider. Action in response to a finding of exclusion may involve, for example, contract termination, termination of employment, or loss of medical staff membership and privileges at the organization.

Corporate Compliance Programs and Organizational Ethics

Partnering within and among organization departments and functions appears consistent with OIG commentary on effective compliance plans. OIG writings suggest that organizations create and foster compliance efforts that conform to legal and regulatory directives as well as enhance the commitment to ethical clinical and business practices within the corporate culture. Though some similarities exist, ethicists caution that corporate compliance must be viewed as distinct from organizational ethics; each has a unique focus.

Corporate compliance programs focus on establishing a floor or minimum level of appropriate behavior for the organization in order for the organization to conform to legal and regulatory requirements for a given industry. The appropriate behaviors are communicated through the compliance program's conduct standards, policies, and procedures. In behaving appropriately, the organization avoids sanctions and maintains its reputation within the community.

Alternatively, organizational ethics focuses on the realm of behavior where no legal or regulatory requirements exist; where equal priorities compete and where individual values, interests, and beliefs differ to the extent that no "right" answer is readily available. In healthcare entities, organizational ethics faces the additional challenges of reconciling priorities often at the level of life and death seriousness. Individual, professional, and societal values and beliefs; competing interests among parties involved in a controversy; the rights of the patient, other individuals, and the organization must be considered in organizational ethics activities.

Unlike corporate compliance programs, organizational ethics is not a new concept in the business world. The curriculum in secondary education and beyond has included courses in business ethics and corporate responsibility, and coursework in these areas has existed for decades. There are, however, few healthcare industry examples of formal organizational ethics functions. Organizational ethics programs should not be confused with clinical ethics functions.

Healthcare Clinical Ethics and Institutional Review Boards

In contrast with organizational ethics efforts, a number of healthcare organizations established clinical ethics programs within their organizations in the 1970s and 1980s. These efforts were often driven by the need to address ethical and legal dilemmas associated with patients or families seeking to terminate care or refuse care associated with the end of life, often in the absence of state law. In other cases, there was a need to address differing family and patient perspectives on what care should be given outside terminal illness settings. Even with greater clarity on the patient's right to refuse treatment, organizations still needed a defined, deliberate process to address the bioethical and legal issues associated with such decisions.

Another catalyst for establishing a clinical ethics program was the Federal Drug Administration requirement that called for creating an institutional review board (IRB) to protect the patient's rights in clinical research activities. For example, IRB members review research proposals to ensure the patient receives pertinent information about a study prior to agreeing to participate in it, and that adequate safeguards are in place to protect the patient.

Unscrupulous Activities Toll

In 2002, a number of U.S. corporations were fraught with business practice scandals. The "ripple effect" caused people across the country to watch helplessly as their retirement plans and stock portfolios withered after an international accounting firm and several major corporations ceased operations. Senior executive interest in the business practices of their industries and their organizations was heightened. A nationwide focus developed whereby corporations looked to ensure that their staff understood that compliance with industry-specific accepted business practices was an expectation. Likewise, staff were to conduct themselves in an ethically responsible manner in workplace activities.

It is clear that the federal and state governments were alarmed by these business scandals and the subsequent effects felt by the citizenry. Consequently, government began scrutinizing corporate business practices in an unprecedented manner. Thus, it may be prudent for all organizations, for-profit and nonprofit alike, to expand compliance programs to include an organizational ethics function as well.

Single Purpose

For one healthcare organization, the foregoing concerns coupled with a discussion of other real-life scenarios and case studies prompted senior leadership and the governing board to encourage the development of a coordinated approach to these issues. By expanding the scope of corporate compliance activities to incorporate organizational ethics and responsible business practices, the organization hopes to operate compliant with law, regulation, and ethical principles (Oakwood Healthcare Inc.). By 2003, a committee had been formed including compliance, ethics, finance, legal, religious, human resource, operations, and internal audit representatives. By appointing members with different perspectives, the committee provides a balanced approach to complex legal, regulatory, and ethical issues. Uniting ethics and compliance supports the effort to do the "right thing," and that, as many say, is the essence of ethics and compliance.

Jonathan P. Horenstein

SEE ALSO: Conflict of Interest; Environmental Policy and Law; Genetic Engineering, Human; Healthcare Institutions; Healthcare Management Ethics; Hospital; Law and Bioethics; Managed Care; Medicaid; Whistleblowing in Healthcare


Davis, Joe and Vann, Rita. 2001. "Quality of Care Receives Increased Emphasis by Enforcement Authorities." Journal of Health Care Compliance. 3(6): 28, 62.

Josephs, Al. 2001. "A Conversation with Kristin Jenkins, Compliance and Quality Officer." Compliance Today 3(5): 13–19.

Kohn, Linda T., et al., eds. 2000. To Err Is Human: Building a Safer Health System. Institute of Medicine.

Randall, Deborah. 2001. "Compliance Concerns in the Home Health Prospective Payment System." Compliance Today 3(5): 6–9.

St. John Health System. 1998. Corporate Compliance Training Manual: Facilitator's Guide. Detroit: SMS Inc.

Weber, Leonard J. 2001. Business Ethics in Healthcare: Beyond Compliance. Bloomington: Indiana University Press.


United States Department of Health and Human Services — Office of Inspector General. Fraud Prevention & Detection Compliance Guidance.

United States Department of Health and Human Services — Office of Inspector General. Work Plan Fiscal Year 2003.

United States Sentencing Commission. 2002. Federal Sentencing Guidelines Manual and Appendices.
